External Document - Adding more AWS accounts to Azure AD SAML authentication 


Please refer to this document before starting: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial 
This page walks through adding more AWS accounts to this process. 


Download the metadata file from the Azure portal: Azure AD Connect » Enterprise Applications » Amazon Web Services (AWS) 
» Single Sign-on » click Download next to Federation Metadata XML 

Log into the AWS account which needs this integration with a local IAM user and MFA, or with the root account in the worst case 
Navigate to the IAM service » Identity providers 

Create Provider » Provider Type » SAML » Name: WAAD » Metadata File » Next Step » Create 

Navigate to Roles » Create Role » SAML 2.0 federation » SAML Provider: WAAD » Allow programmatic and AWS Management 
Console access » Next: Permissions » search for AdministratorAccess and tick the checkbox » Next: Tags » Key: Name, 
Value: XXXX-aws-admin where XXXX is the account name all in lower case » Next: Review » Role Name: XXXX-aws-admin and 
Description the same » Create Role 

Similarly create the remaining roles such as XXXX-finance-admin, XXXX-read-only-user, XXXX-devops-user, XXXX-tpm-user, each with different 
policies attached. These role policies can be changed later as required per AWS account, but it is always better to keep the 
same policies for each role across the AWS accounts. 

Once done, please make a note of the account ID for that AWS account, either from EC2 properties or the IAM dashboard as highlighted below: 
Now log in to the Azure Portal and navigate to Groups: https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups 

Create new groups with the same names as the IAM Roles created earlier and note down the Object IDs of these: 
• Once all these groups are created and their Object IDs are noted down, log in to Microsoft Graph Explorer: URL 

• Select GET » beta » https://graph.microsoft.com/beta/servicePrincipals/750b8f24-1b2d-491f-8f12-34e1028513ac » Run Query 

• Please note that the above link carries the Service Principal ID of the existing AWS application in Azure AD; if the query fails, this ID might 
have changed 

• DO NOT use the DELETE option from the menu: this removes the entire AWS Enterprise application from your Azure subscription, 
leaving only the App registration entry behind 

• Ideally in the Response Preview it shows the Manifest of the application with all the details: 

• Now add the section below to the Request Body, changing the content according to the details gathered above (AD group name, 
group Object ID, SAML provider ID) 

  { 
    "allowedMemberTypes": [ 
      "User" 
    ], 
    "description": "nw-devops-user,WAAD", 
    "displayName": "nw-devops-user,WAAD", 
    "id": "b361ae96-ccd7-471a-a7cc-88153788131f", 
    "isEnabled": true, 
    "origin": "ServicePrincipal", 
    "value": "arn:aws:iam::512088425928:role/nw-devops-user,arn:aws:iam::512088425928:saml-provider/WAAD" 
  } 


Duplicate this block once per AD group created, with a comma between each closing } and the next opening {, and 
no comma after the last one. The example below is for the XXXX account, where only 2 roles and AD groups were created. 


"allowedMemberTypes": [ 

"User" 

] , 

"description": "master-aws-admin,WAAD", 

"displayName": "master-aws-admin,WAAD", 

"id": "26e490c7-7cd0-487e-b2ee-687e366393bl", 
"isEnabled": true, 

"origin": "ServicePrincipal", 

"value": 

"arn:aws:iam::ACCOUNTID:role/master-aws-admin,arn:aws:iam::ACCOUNTI 
D:saml-provider/WAAD" 

} 


Replace the names with the role/AD group names created for this AWS account, replace the id with the Object ID of the AD 
group that was created, and update the account number as well, as below: 





"allowedMemberTypes": [ 

"User" 

] , 

"description": "master-aws-admin,WAAD", 

"displayName": "master-aws-admin,WAAD", 

"id": "2 6e4 90c7-7cd0-4 8 7e-b2ee-68 7e3 6 63 93bl", 
"isEnabled": true, 

"origin": "ServicePrincipal", 

"value": 

"arn:aws:iam::ACCOUNTID:role/master-aws-admin,arn:aws:iam::ACCOUNTI 
D:sami-provider/WAAD" 

}, 

{ 

"allowedMemberTypes": [ 

"User" 

] , 

"description": "master-finance-admin,WAAD", 
"displayName": "master-finance-admin,WAAD", 

"id": "8181dec7-lb39-4df3-9ccl-736af2cf5704", 
"isEnabled": true, 

"origin": "ServicePrincipal", 

"value": 

"arn:aws:iam::ACCOUNTID:role/master-finance-admin,arn:aws:iam::ACCO 
UNTID:sami-provider/WAAD" 

} 


Double-check that the id of each role/group matches the Object ID in the Azure AD group properties, and check the account ID and the role names 

Once verified, copy this content into the Graph Explorer Request Body, appending it after the section it was copied from. Make 
sure the commas are correct and that the JSON validates 

Now select PATCH » beta » same URL with the Service Principal ID » Run Query 

Now select GET » beta » same URL with the Service Principal ID » Run Query and verify that the new entry appears in the response body, 
as below: 
[Screenshot: Graph Explorer shows "Success - Status Code 200" and the Response Preview lists the new entry:] 

  { 
    "allowedMemberTypes": [ 
      "User" 
    ], 
    "description": "master-aws-admin,WAAD", 
    "displayName": "master-aws-admin,WAAD", 
    "id": "26e490c7-7cd0-487e-b2ee-687e366393b1", 
    "isEnabled": true, 
    "origin": "ServicePrincipal", 
    "value": "arn:aws:iam::693629377736:role/master-aws-admin,arn:aws:iam::693629377736:saml-provider/WAAD" 
  } 
Ideally this returns Success; if it fails it shows an error message, which is typically a misplaced comma, an Object ID clash/duplicate or a 
duplicate name, hence the verification in the previous step is very important 

Once it is successful here, navigate to the AWS application in Azure AD: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Users/objectId/750b8f24-1b2d-491f-8f12-34e1028513ac/appId/671e788b-fb2e-4bbb-a946-02305ced415f/menuItemId/QuickStart 
and go to Users and Groups 

Make sure there is no existing entry for the Role you are trying to assign for this AWS account 

Click Add User » Users and Groups » Select, search for the group name » under Role select the Role with the same name, then click 
Assign 

Repeat the same for the other groups created for this account and make sure each group is assigned the Role with the same name, e.g. below: 



• The AWS sign-in page should now show the account you have configured (highlighted below), with ONLY those roles whose groups you are a member of: 
[Screenshot: signin.aws.amazon.com/saml, "Select a role:"] 

  Account: noodleai (693629377736) 
    master-aws-admin 
  Account: noodleai-eaip (221191849743) 
    eaip-aws-admin 
    eaip-read-only-user 
  Account: noodleway (512088425928) 
    nw-aws-admin 
    nw-read-only-user 

  Sign In 
Select the newly added AWS account and Role to log in, and confirm that all the configuration is successful 